Raven White proposes a new authentication system, Blue Moon Authentication, following the trend of replacing the typical password challenge with a more user-friendly (and less memory-demanding) one.
The authentication asks for your like or dislike choice on 15 questions. If you get a large number of them right, you are authenticated. Initializing the system requires you to select 8 topics you like and 8 topics you dislike from a selection of about 70 topics.
:Happy: The choice of topics seems to have been done nicely. Interviews with a sample of users on about 200 topics made it possible to reject the topics with the least entropy. Some human-computer interaction specialists participated.
:Sad: The distribution of 8 likes and 8 dislikes helps a lot when trying to guess the answer. Remember that the challenge is about 15 topics. Mathematically, you need to end up with 7 from one side and 8 from the other side. I did not do the math, but it decreases the space of exploration. I'm too lazy (it is too late, and the day was hard) to calculate, but it is less than 2^14 trials. Of course, if you know the person you want to impersonate a little, the odds definitely change.
:Sad: The system is supposed to remove the burden of password replacement. Nevertheless, with such a limited challenge, you will necessarily have to block any brute-force attack. Once the user is blacklisted, how will he be reauthorized? Through which authentication mechanism? A password?
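The math skipped above, as an added example (not from the original post or from the vendor): it counts the answer vectors left by the 7/8 split and sizes the lockout limit that the brute-force concern calls for. The pass threshold `t`, the risk budget `eps`, independent guesses, and the omitted 16th topic being equally likely a like or a dislike are all assumptions; the post gives none of them.

```python
from fractions import Fraction
from math import comb

N = 15  # questions per challenge (from the post)

def search_space():
    """Answer vectors with a 7/8 like/dislike split."""
    return comb(N, 7) + comb(N, 8)

def p_uniform(t):
    """P(at least t of N right) when each answer is a fair coin flip."""
    return Fraction(sum(comb(N, m) for m in range(t, N + 1)), 2 ** N)

def p_balanced(t, g=8):
    """P(at least t right) for a random guess with g likes, averaged over
    the true answer having 7 or 8 likes (assumed equally likely)."""
    total = Fraction(0)
    for a in (7, 8):                       # likes in the true answer
        for i in range(max(0, a + g - N), min(a, g) + 1):  # shared likes
            matches = i + (N - a - g + i)  # shared likes + shared dislikes
            if matches >= t:
                total += Fraction(comb(a, i) * comb(N - a, g - i), comb(N, g))
    return total / 2

def max_attempts(p, eps):
    """Largest n with P(at least one success in n independent guesses) <= eps."""
    n, fail = 0, Fraction(1)
    while 1 - fail * (1 - p) <= eps:
        fail *= 1 - p
        n += 1
    return n

if __name__ == "__main__":
    print("7/8-split answer vectors:", search_space(), "vs 2^14 =", 2 ** 14)
    for t in (15, 13, 12):  # pass thresholds: assumed, the post gives none
        pb, pu = p_balanced(t), p_uniform(t)
        print(f"t={t}: balanced {float(pb):.5f}, uniform {float(pu):.5f}, "
              f"attempts allowed at 1% risk: {max_attempts(pb, Fraction(1, 100))}")
```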
I did not read the papers. I will do so soon.
It reminds me of the authentication based on selecting pictures or icons from a set of pictures.
Would you trust this authentication process?